MDR Vendors in SOC Reports

One of the more challenging parts of completing a SOC 1 or SOC 2 audit is distinguishing between a vendor and a subservice organization.  In this blog post, we expand on our earlier post on identifying subservice organizations (https://kfinancial.com/how-to-identify-subservice-organizations-in-soc-1-and-soc-2-reports/) to cover a specific type of vendor: managed detection and response (MDR) vendors.

Many organizations use MDR vendors to ingest data from various information sources, analyze and evaluate the data using proprietary methodologies, and alert the organization of potential security events and incidents.  This process allows organizations to focus their security event and incident processes on anomalies that have been deemed more significant due to the MDR vendor’s initial analysis.  Additionally, using an MDR vendor can make the SOC audit more effective and efficient by aggregating listings of all security events within a given period.  SOC auditors often use these listings to sample security events that have occurred during the period and evaluate management’s security event and incident management controls that help organizations meet SOC 1 control objectives or SOC 2 trust services criteria.  

When using an MDR vendor, it is important to consider the significance of their role in the security event and incident management process in the context of SOC 1 and SOC 2 reports.  This is because the proper presentation of a subservice organization is a requirement for a company’s system description in a SOC 1 or SOC 2 report.  The AICPA defines subservice organizations for purposes of a SOC 1 report as the following: “A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.”  Similarly, the AICPA defines subservice organizations for purposes of a SOC 2 report as the following: “A vendor used by a service organization that performs controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved.”

Organizations should consider the definitions in the paragraph above when evaluating whether their MDR vendor is a subservice organization or only a vendor.  When an MDR vendor uses inputs from different information sources such as Security Information and Event Management (SIEM) tools and log management tools; analyzes potential anomalies; determines the severity of a threat using their proprietary methodology; and alerts management of the potential threat, management and the SOC auditor would typically conclude that the MDR vendor plays a significant role in the organization’s security event and incident management control processes.  In this example, it is unlikely that anomalies would be subjected to the organization’s security event and incident management control processes described in the SOC 1 or SOC 2 report unless the MDR vendor raises the issue first.  That is, if the MDR vendor does not notify the organization of potential security events, an event or incident could go unnoticed.  If potential security events or incidents are not addressed, certain SOC 1 control objectives or SOC 2 trust services criteria related to security event and incident management would not be met.  This level of reliance indicates the MDR vendor should be classified as a subservice organization in a SOC 1 or SOC 2 report.

If the organization has controls in place to log anomalies and security event information; analyze potential anomalies; determine the severity of threats; and mitigate any resulting security events and incidents without reliance on an MDR vendor’s detection and alerting processes alone, then the MDR vendor is most likely not a subservice organization.  

Distinguishing between a vendor and a subservice organization in the context of security event and incident management is a highly judgmental decision.  If your organization has any questions when making this determination, it is always a good idea to contact your SOC 1 or SOC 2 auditor!
